Has anyone been successful getting Enterprise Wi-Fi setup on a 8320/8820 using PEAP security? We have been working with both Cisco and RIM the past several days but have had no luck so far -- cases are still pending from both vendors.

Here is our environment:

WLAN Hardware:
Cisco Wireless LAN Controllers
Cisco Aironet 1000 Series Lightweight Access Points

Authentication/Security:
802.1X to Microsoft IAS RADIUS server (Windows Server 2003 SP1) authenticating against Active Directory (AD)
Authetication-Type: PEAP
EAP-Type: EAP-MSCHAP v2
Server Certificate: CA Signed certificate from VeriSign Class 3 Secure Server CA

We had to load the VeriSign Class 3 Secure Server CA certificate on the BB devices (8320 & 8820), but we have a valid certificate chain and have confirmed the certificates by their serial numbers.

BlackBerry Wi-Fi Device setup:
Security Type: PEAP
Username: <username>
Password: <password>
CA Certificate: VeriSign Class 3 Secure Server CA
Inner link security: EAP-MS-CHAP v2
Server Subject: wifisecurity.example.com
Server SAN: <blank>

Both the 8820 from AT&T and the 8320 from T-Mobile are failing. We are seeing some interesting stuff on the wireless sniffer, but was interested if anyone else has gotten PEAP to work successfully on these devices.

What does the error say on the BB? (Options - Wi-Fi Connections-Menu-Wi-Fi Diagnostics, change the display mode to Advanced)

Can you share what the IAS log says when it fails?

Are the user's credentials successful when using the same on a laptop?

Below is a sample of what we see in the IAS logs for these BlackBerry 8320 and 8820 users. This particular user works fine on a laptop or on a Windows Mobile 6 device (ie: T-Mobile Dash).

User <USER> was denied access.
Fully-Qualified-User-Name = example.com/Users-Developer/<USER>
NAS-IP-Address = 10.123.30.11
NAS-Identifier = WLC-1
Called-Station-Identifier = 00-0B-85-XX-XX-XX:wlan
Calling-Station-Identifier = 00-1C-CC-1C-XX-XX
Client-Friendly-Name = WLC-1
Client-IP-Address = 10.123.30.11
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Authentication - Allow
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

The above info tells me the encrypted password portion of the authentication is not occurring because IAS can not determine the EAP type.

We next turned to a wireless sniffer to compare a Windows XP host with a BlackBerry 8320/8820. The only difference in the authentication process is that the BlackBerry device(s) respond with a SSL/TLS encryption error after the certificate is sent from the RADIUS server. Basically the PEAP process starts, the username get passed, and the IAS (RADIUS) server sends the certificate information for the SSL/TLS encryption. Once the last certificate packet is acked, the BlackBerry responds with SSL/TLS encryption failure and is then DeAuthed from the Access Point.

In the advanced Wi-Fi diagnostic tool on both BlackBerry devices it indicates a W010 Error: Wifi Association Failed.

I am down to two theories as to root cause at this time:

1. BlackBerry 802.1X supplicant problem
2. PEAP Misconfiguraiton on the BlackBerry devices

Another thing we tried was modifying the 'Server Subject' field format on the BlackBerry devices putting the fully qualified subject name of our server certificate (ie: CN=wifisecurity.example.com,OU=IT,O=Company, etc) but no change -- same errors. RIM support has indicated this field only needs to be populated with the hostname on the certificate (ie: wifisecurity.example.com or also known as the certificate "friendly name"). It was worth a shot...

Cisco TAC has also come back after analyzing our logs and sniffer traces and believes, at this time, the issue is with the BlackBerry device(s).

We really wish we could share our findings with some RIM engineers or developers. Someone somewhere knows what is going on or how to collect more detailed debugging information from the BlackBerry 802.1X supplicant.

We worked with RIM for several hours yesterday and had a really good customer support rep. RIM has started to ask us good questions, unfortunately, no breakthrough type stuff yet.

Our plan for today is to work with an escalation manager contact at RIM and see if we can get some development or engineering resources (normal customer support reps to not have access to these resources) to at least look at our wireless packet capture. We know that the PEAP process is breaking when the BlackBerry sends back a TLS decrypt error after the certificate is sent from the IAS (RADIUS) Server.

Looks like others in an 802.1X PEAP MS-CHAP v2 WiFi environment are starting to post of problems in other forums too. I knew we could not be the only ones having this issue...

Wi fi conncetion problem with 8820 - RIM BlackBerry Wireless Forums

Hmm. I was able to get both an 8820 and 8320 working on our wifi network at the office. We also use PEAP and radius security. I also had to add a certificate to both bb's b/c the default ones don't match what we are running. That is the only extra thing I had to add. In your setting you indicate a server subject. I don't have anything entered for mine so have you tried eliminating that? Sorry wish I could offer more.

Wesly, in my case there is no server certificate (none is required by Windows when I connect via my notebook), it seems that the BB does not allow this scenario (PEAP without a certificate) :(

We did try blanking the server subject out and we also tried to load the server cert in addition to the intermediate CA cert on the BB, but with no luck.

Still nothing back from the RIM escalation team, but hope to hear something tomorrow...

I was my understanding that PEAP without a certificate was LEAP? Am I wrong about that?

In our environment PEAP uses a server certificate for the password encryption (SSL/TLS) between client and RAIDUS server.

Wi-Fi security is so much "fun"...

Im also having problems with this. First of all how do i even get the certification on to the blackberry.
hopefully this gets solved

thanks for your effort

I got my 8820 working today. I had to install the certificate on the BB. Once it was there, PEAP worked like a charm.
1. Install desktop manager
2. Make sure you install certificate sync
3. launch BBDM
4. Launch cert sync
5. Choose what cert you need
6. sync them.
7. run through WI-FI setup again and you should be connected!!

Thank you i had not installed the cert syn. Now i am just getting w010 failures

Sorry for not keeping this thread current but not much progress over the past month. Our case with RIM has been sent on to the senior developers now who are working with some WLAN specific developers. I suspect we have bug in the BB OS because if this were a simple misconfiguration issue we'd not have this case to this level at RIM.

I'll keep everyone posted.

Hi,

just to let you konw you are not alone with this issue

I am in the same configuration : Cisco - LWAP - IAS Radius - AD
WPA2 - EAP-TLS - PEAP - MS Chap v2
My certificate is a Thawte SGC CA
After uploaded it on my terminal, got the same logs on my radius :
EAP-Type = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

Wait news from RIM...

I had a problem setting up my 8120 today.

We are using PEAP and found that you do indeed require the Intermediate Certificate on your Blackberry and it is this certificate you select for CA Certificate in the options.

Selecting the CARoot certificate did not work.

We used the intermediate certificate too, but it doesn't help.

Oh, we use 8820 4.2.2.124 (2.4.0.58)

We are using Nortel Access Points with IAS. Without the correct certificate, it wouldn't even associate with an AP and you didn't get any logs on the IAS.

Because we don't broadcast our SSID, I have configured it the WLAN configuration on the BES.

Config is as follows

WLAN Link Security EAP-PEAP
WLAN SSID ****WLANNet
WLAN User Name bbwlanuser@*****
WLAN User Password ********
WLAN DHCP Configuration True
WLAN Inner Authentication Mode EAP-MSCHAPV2

The * is to blank at corporate names. All we then had to do was sync the certificates (Intermediate and Root because we use our own Certificate Authority)

Then set the profile to use the intermediate and that's all. If this doesn't work for you, I'd check the APs and Radius settings.

We got an update from BlackBerry support on this issue this morning. Their senior development team discovered that the issue is with the signature algorithm that is used on the VeriSign root certificate.

The VeriSign root certificate (VeriSign Class 3 Public Primary CA – in our environment) uses MD2 with RSA encryption for the signature algorithm and MD2 is not supported in any BlackBerry OS at this time.

I think it would be safe to say that if any CA in your cert chain uses md2RSA as a signature algorithm, your authentication would be broken in the BlackBerry OS. (See attachment for sample certificate screenshot)

RIM has logged "bug" in their development tracking system, but so far has not committed a specific BB OS version for the fix.

We'll keep on top of this and keep you all posted.

That explains my issue.
Keep us updated!


thanks
Mike

thanks, same configuration here. Our Thawte certificate is trusted by the same Verisign C3 md2RSA cert...

Any word on a resolution to this?


Mike

We check status with RIM every couple of weeks, but so far no information that this fix is into a production build yet.

If you are working with BlackBerry support on an issue similar to this, ask them to refer to software tracking number SDR153670. This is their internal defect id that the developers are writing their fix against. If we get enough people pushing on them for this fix, maybe it will help speed things along.

I'll share any non "NDA" (Non Disclosure Agreement) information I get with the group in this thread.

We got word from RIM last week that this issue has been fixed. Due to NDAs with the carriers RIM can not disclose to us the exact release numbers that contain the fix, however, the engineer indicated it was fixed in both 4.2 and 4.3 code.

It typically takes 2-3 months for the carriers to do their internal testing, so cross your fingers and hope for a software release coming soon containing this fix.

hmmm. This is still listed as unresolved on the bb website.

PEAP fails with Verisign CA certificates

RIM has told us this is fixed in the next version(s) of software that has been released to the carriers for their certification process. In addition, they have told us they will not mark it as resolved in their knowledge base until the fix is publically available.

RIM's escalation team has assured us that this will be fixed in a maintenance release of the 4.2 OS as well as the 4.5 (formally known as 4.3) release.
We won’t know until we see the software, but like the rest of the world, we are anxious to get our hands on the 4.5 OS. Rest assured we’ll be testing this first thing when it is released.

If anyone experiencing this issue gets their hands on a beta release of this code, please report any findings.

We haven't seen any thing newer than .184 for 4.2 in ages.

I suspect I am experiencing a similar issue with an md2 certificate my university uses on its Wi-Fi network (PEAP/EAP-MS-CHAP v2). The certificate is "Secure Server Certification Authority, RSA Data Security, Inc., US", and should already be on most Windows computers. The SHA1 thumbprint starts "44 63 C5 31 ...".

Anyway, both the synchronization tool and the phone show the certificate with a yellow question mark, rather than a green check. It is one of the few certificates that I am not allowed to select in the Wi-Fi setup tool. My Blackberry OS is 4.2.2.169 (Platform 2.4.0.67). On the "Details" page of the certificate, it shows "Weak Cert Chain", and "Root Certificate". It also shows "Good on Sat, Apr 19, ..." and "Explicitly Trusted".

If someone could tell me if this is the same thing, I'd appreciate it.

The cert your university is using will always have a yellow question mark because it does not use strong certificate chaining (Root CA, Intermediary CA, etc). Despite that cert being good until 2010, VeriSign will not issue a new cert signed by that CA after sometime this year (and you have to specifically ask for it).

You are probably running into two issues in your setup. One, that cert is not an intermediary CA, so the BB will not let you select that cert in the Wi-Fi configuration for your SSID. Two, that cert does use the MD2 signature hashing algorithm which is not fixed until the 4.3/4.5 handheld software release which we have been waiting a very long time for.

We were initially told to expect the 4.3/4.5 software from the carriers in the March/April timeframe, but that was before RIM yanked some features out of that release at the last minute which caused some delays.

Just a quick update: Today I had the chance to test our corporate Wi-Fi connectivity on a T-Mobile 8120 running BB OS 4.3.0.115 and I can confirm that this issue with the older signature hashing on certificates has been resolved.

We are still waiting for the "official" 4.3/4.5 OS to be released for the older Wi-Fi enabled Berries.

It is amazing that we worked with RIM back in November on this issue and it has taken almost 6 months to finally be able to test the production fix.

RIM has updated the KB Article relating to this issue:

PEAP fails with Verisign CA certificates

Wow, this exact problem has been bugging us for a bit now. As we deploy more and more wifi enabled blackberry (8820 and 8320) this is a request that I am starting to get regularly.

So far my solution is to let my users log on to the "guest" SSID that uses non PEAP logon, and give them year-long special users. not clean. So we are all rooting for the new OS.

we use PEAP on my office, i installed the certificate on my bb, BUT when i go to configure for PEAP the certificate is not on the list (but if i go under options menu, the certificate is in fact on the phone)....anyway around this?

This may be a bit offtopic, but do you know if all carriers release the OS at the same time, or if some carriers will release it before others? (I'm on AT&T.) I assume no one outside RIM knows yet when it'll be released, right? I'd still like to see if the root/intermediate thing is not a serious problem, since I can actually select one of two self-signed certs (not that it helps me connect, but it's a test), and both have a green check mark.

What kind of cert is it? (Root, CA, Personal?) Right now under 4.2 you can only select CA Certs in the Wi-Fi PEAP Setup.

Check your CA certs under: Options --> Security Options --> Certificates. Then press the BlackBerry Menu key and select 'Show CA Certs'. I'm guessing the cert you need is not in that particular list. This should be fixed in 4.3 when it is released.

I'm not really 100% sure how this all works and RIM would not really tell us when we were working with them on this issue. For this particular problem, RIM had the bug resolved way back in January. After RIM resolved the issue, it has to go to the carriers for their testing and customizations -- this can take 6 months plus, especially with the larger release jumps. (4.2 to 4.3) It is not, however, uncommon to see minor version difference across the various carriers. T-Mobile might release 4.2.2.188 and AT&T might release 4.2.2.192 but as far as a timeline amongst the carriers, I don’t know if RIM regulates that or if the carriers have some control.

The twist with OS 4.3/4.5 is that RIM yanked some features at the last minute which may have delayed this process or caused it to start over.

As a side note, we've recieved confirmation from our corporate T-Mobile Rep, that their internal BlackBerry folks are saying the Curve will not have a 4.3 release, but that the 4.5 code should be available sometime this "summer".

only the 8110/8120/8130/8330 devices will have 4.3. There will be 4.5 for everything 87xx and newer at some point.

I have successfully associated my BlackBerry Curve 8320 (T-Mobile, version 4.2.2.180) to the 802.11bg wireless network at my university (more information: Public Internet Access - Overview). It uses 802.1x authentication too. I was initially unsuccessful using PEAP (default), but here are my settings that did work:
When the network first rolled out, Linux users were instructed to use TTLS as the encryption method. That happened to work on Windows when I had to configure a few machines' ipw2200 and ipw3945 cards using Intel's utility. Try that and see if it works for you too. Good luck!

P.S. If you are in a big building with many access points, you should go back into the wireless profile and tick the box next to "Allow inter-access point handover"

Glad to hear that you were able to get yours to work; several others have as well. The specific issue we were running into was that in our 802.1X implementation there was a Verisign certificate in the cert chain that was signed with the MD2 signature hashing algorithm. If you are "lucky" enough to have one of these certs signed with MD2 in your implementation, that issue is not fixed until the 4.3/4.5 handheld software releases. (T-Mobile Corporate Rep telling us September is the latest target date now for 4.5 OS on the 8320).

If your university does not have a cert in the cert chain signed with an MD2 hashing algorithm, you should be good to go.

Dear RIM/T-Mobile,
We are still waiting for the official 4.5 OS.
Sincerely,
Your Customers.

My network accepts either the "Thawte Premium Server CA" or the "Entrust.net Secure Server CA," if that rings any bells. The only thing I see with VeriSign is "VerSign WAP X509 Root."

Hi,

does anyone know how to use a BB 8820 WiFi with an Apple Airport Extreme which is WPA2-protected? At the BB I only get WEP and PSK as options...

Many thanks & regards,

Efi

The BB historically hasn't played well with the Apple Airport Extreme. I suggest updating your OS to the latest 4.5 OS that is available and see if it will work. WPA should be an option on all OS's though.